Re: Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file
On 12/01/16 15:27, Salvatore Bonaccorso wrote:
> My gut feeling about this: Since the issue was already present before,
> uncovered indirectly by the perl DSA, and currently affects twiki (not
> packaged in Debian), I would tend to ask the SRM to have the fix for
> libcgi-session-perl to be scheduled via the next Jessie point release
> rather than a DSA.
>
> Do you feel strong about having it the fix earlier via a DSA?
I don't feel particularly strongly about it being fixed by a DSA as we
have a workaround (though the patch I included previously is incorrect
and broken; the patch in RT appears to work).
That being said, ikiwiki (packaged) appears to use CGI::Session so I
would be surprised if it was not affected, assuming it uses the same
session storage driver.
HTH,
Chris
--
Chris Boot
Tiger Computing Ltd
IS27001:2013 Certified
Tel: 01600 483 484
Web: https://www.tiger-computing.co.uk
Registered in England. Company number: 3389961
Registered address: Wyastone Business Park,
Wyastone Leys, Monmouth, NP25 3SR
Reply to: